CVE-2021-36915 Cozmoslabs Profile Builder plugin = 3.6.0 has a CSRF vulnerability that allows uploading the JSON file and updating the options.

Plugin can be exploited by logged in user or by user with WordPress administrator role. Attack can be performed via vulnerable online import/export functionality, file upload or by CSRF. The plugin does not have any form of validation on the uploaded JSON file contents, making it possible to inject malicious code or download and execute remote code. Attack can be performed by logged in user or by user with WordPress administrator role. The plugin does not have any form of validation on the uploaded JSON file contents, making it possible to inject malicious code or download and execute remote code.

Details

This vulnerability allows an attacker to exploit the plugin via vulnerable online import/export functionality, file upload or by CSRF.
The plugin does not have any form of validation on the uploaded JSON file contents, which makes it possible to inject malicious code or download and execute remote code. This can be performed by logged in user or by user with WordPress administrator role.

Mitigation and detection Mitigation:

- Disabling online import/export functionality.
- Restricting access to files that do not need to be uploaded (e.g., theme and plugin files).
- Adding restrictions to CSRF token, ensuring that only the current session is allowed to submit form data.

3 Ways to Exploitation

- The developer can use the vulnerable online import/export functionality to perform an attack. - The developer can use the file upload functionality to perform an attack. - The developer can use CSRF functionality to perform an attack

Credit: https://www.f5.com

The F5 Secure Web Gateway (SWG) is a web application firewall that helps protect your WordPress website from malicious attacks. The SWG is a plugin that sits within the WordPress dashboard and monitors incoming HTTP requests and outgoing HTTP responses to detect suspicious activity in your site. You can customize the rulesets, as well as generate notifications directly in the WordPress dashboard to keep you informed of any suspicious activity on your website.

The plugin doesn’t verify the JSON file contents

The plugin does not verify the JSON file contents, which means it is possible to inject malicious code or download and execute remote code.

Timeline

Published on: 10/11/2022 20:15:00 UTC
Last modified on: 10/13/2022 02:42:00 UTC

References

• https://wordpress.org/plugins/profile-builder/#developers
• https://patchstack.com/database/vulnerability/profile-builder/wordpress-profile-builder-plugin-3-6-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-36915